comparison doc/upgrading.txt @ 5271:bee4008a2840
Added info on dealing with common errors when adding @csrf tokens.
| author | John Rouillard <rouilj@ieee.org> |
|---|---|
| date | Wed, 20 Sep 2017 23:01:36 -0400 |
| parents | 84a844f50d1f |
| children | c6fbd4803eae |
| 5270:84a844f50d1f | 5271:bee4008a2840 |
|---|---|
| 84 If any header fails validation, the submission is | 84 If any header fails validation, the submission is |
| 85 rejected. (Note the user's form keeps all the data they | 85 rejected. (Note the user's form keeps all the data they |
| 86 entered if it was rejected.) | 86 entered if it was rejected.) |
| 87 | 87 |
| 88 Also the admin can include unique csrf tokens for all forms | 88 Also the admin can include unique csrf tokens for all forms |
| 89 submitted via post (delete and put methods are also | 89 submitted using the POST method. (Delete and put methods are also |
| 90 included, but not currently used by roundup)). The csrf | 90 included, but not currently used by roundup.) The csrf |
| 91 token (nonce) is tied to the user's session. When the user | 91 token (nonce) is tied to the user's session. When the user |
| 92 submits the form and nonce, the nonce is checked to make | 92 submits the form and nonce, the nonce is checked to make |
| 93 sure it was issued to the user and the same session. If this | 93 sure it was issued to the user and the same session. If this |
| 94 is not true the post is rejected and the user is notified. | 94 is not true the post is rejected and the user is notified. |
| 95 | 95 |
| 96 The standard context/submit templating item creates CSRF | 96 The standard context/submit templating item creates CSRF tokens by |
| 97 tokens by default. If you have forms that are not using the | 97 default. If you have forms using the POST method that are not using |
| 98 standard submit routine, you should add the following field | 98 the standard submit routine, you should add the following field to all |
| 99 to all forms: | 99 forms: |
| 100 | 100 |
| 101 <input name="@csrf" type="hidden" | 101 <input name="@csrf" type="hidden" |
| 102 tal:attributes="value python:utils.anti_csrf_nonce()"> | 102 tal:attributes="value python:utils.anti_csrf_nonce()"> |
| 103 | 103 |
| 104 A unique random token is generated by every call to | 104 A unique random token is generated by every call to |
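Review bot: capitalization of the HTTP method names is inconsistent in the new text of line 89-90: the paragraph now says "submitted using the POST method" but then "Delete and put methods are also included". Write them as "DELETE and PUT methods" so all three read as HTTP method names; likewise "The csrf token (nonce)" on line 90 and "CSRF tokens" on line 96 should agree on one spelling. The restriction to POST forms added at lines 97-98 is the right clarification, since a hidden @csrf input on a GET form would only end up in the query string (as the later paragraph of this same change points out).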
| 132 missing. | 132 missing. |
| 133 | 133 |
| 134 It is suggested that you change your templates so every form | 134 It is suggested that you change your templates so every form |
| 135 has an @csrf field and change the setting to 'required' for | 135 has an @csrf field and change the setting to 'required' for |
| 136 the csrf_enforce_token. | 136 the csrf_enforce_token. |
| 137 | |
| 138 If you see the @csrf nonce in the URL, you have added the value to a | |
| 139 form that uses the GET method. You should remove the @csrf token from | |
| 140 these forms as it is not needed. | |
| 141 | |
| 142 If you get an error: | |
| 143 | |
| 144 AttributeError: 'list' object has no attribute 'value' | |
| 145 | |
| 146 in handle_csrf, you have more than one @csrf token for the form. This | |
| 147 usually occurs because the form uses the standard context/submit | |
| 148 element but you also added an explicit @csrf statement. Simply remove | |
| 149 the @csrf element for that form. | |
| 137 | 150 |
| 138 Support for SameSite cookie option for session cookie | 151 Support for SameSite cookie option for session cookie |
| 139 ----------------------------------------------------- | 152 ----------------------------------------------------- |
| 140 | 153 |
| 141 Support for serving the session cookie using the SameSite cookie option | 154 Support for serving the session cookie using the SameSite cookie option |
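Review bot: the final instruction on lines 148-149, "Simply remove the @csrf element for that form", is ambiguous because the preceding sentence names two sources of the token (the standard context/submit element and the explicitly added @csrf statement); say which one to drop, e.g. "remove the explicit @csrf input and keep the context/submit element", otherwise a reader may remove both and lose CSRF protection on that form. Also, the error text on line 144, `AttributeError: 'list' object has no attribute 'value'`, is a literal message and should be set off the same way as the `<input ...>` example on lines 101-102 so it is not read as prose; naming where `handle_csrf` lives (the module) would help readers match it against their traceback.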
